"We all want to know if there has been a serious risk to our personal-health data," she told me. "But if we get notified for all incidents, including those of very low risk, we will become inured to the numerous notifications we are bound to receive."

So what should be done? Three things:

The path HHS takes will be closely watched by other jurisdictions that have not yet defined their own de-identification parameters. If we arrive in a world where personal data is never truly de-identified, we're going to need a risk-based approach to guide our way forward.

Jay Cline is a former chief privacy officer at a Fortune 500 company and is now president of . You can reach him at .